L355 Epson wifi scanner

I want to set up a wireless all-in-one Epson printer L355 series on my NixOS unstable system.

I am having difficulty getting the scanner to work over the network. Over the USB interface it already works, with the following in configuration.nix:

  hardware.sane = {
    enable = true;
    extraBackends = [ pkgs.epkowa ];
  };

$ scanimage -L
device `epkowa:usb:001:007' is a Epson L355/L358 flatbed scanner
device `v4l:/dev/video0' is a Noname Integrated_Webcam_HD: Integrate virtual device
device `epson2:libusb:001:007' is a Epson PID 08A8 flatbed scanner

But it is not being found on the network. I have checked and it works in Arch Linux.

Help is very welcome!

For my Epson EcoTank (wireless), I had to use all of the config below.
services.printing and services.sane are quite obvious, but services.avahi could be the missing part in your config. It allows detection of devices over the network in a protocol that the driver probably expects.

Did you try a direct USB connection?

{ pkgs, ... }:
{
  # Enable CUPS to print documents.
  services.printing = {
    enable = true;
    drivers = [ pkgs.epson-escpr ];
    browsing = true;
    defaultShared = true;
  };

  services.avahi = {
    enable = true;
    nssmdns = true;
    publish.enable = true;
    publish.addresses = true;
    publish.userServices = true;
  };

  hardware.sane = {
    enable = true;
    extraBackends = [ pkgs.epson-escpr ];
  };
}

Enabling services.avahi did not help with accessing the scanner via the network. The printer was already working. So it seems that avahi is not the missing part.

Yes, I have tried and it works. The scanner is detected as: epkowa:usb:001:007' is a Epson L355/L358 flatbed scanner.

Maybe there is something to do with the way sane is packaged on NixOS. I will try to investigate this.

With the following in configuration.nix my scanner is detected using the built-in epson2 sane backend, but only after disabling the firewall:

  hardware.sane.enable = true;
  networking.firewall.enable = false; # default is true

$ scanimage -L
device `v4l:/dev/video0' is a Noname Integrated_Webcam_HD: Integrate virtual device
device `epson2:net:' is a Epson PID 08A8 flatbed scanner

The question now is how to have it working with the firewall enabled. What port should be opened in the firewall?

Any clues?

It’s nice that you made progress!

I guess you could use wireshark to detect the ports that are used. But it could be that the port is not always the same. It may be simpler to disable the firewall on the local network, or to allow anything from the printer IP.

I know this is not much help, but it’s the best advice I can provide.

From [1] it looks like iscan-network-nt + sane-epson2 should be the solution, but we only package iscan-network-nt as part of epkowa. It may be a good idea to see if we can get iscan-network-nt + sane-epson2 working, but that would require more tinkering.

[1] SANE: Supported Devices

In fact, filtering the IP address of the scanner with the help of wireshark with the firewall disabled shows different ports each time the scanner is auto discovered.

There is an interesting comment on a related Fedora bug report, but there is not a fix there:

For auto-discovery, the epson2 backend sends a UDP broadcast to port 3289. I guess that the response is filtered by the firewall because the sender isn’t the broadcast address itself. In the case where you configure the scanner device manually, the device is addressed directly, therefore connection tracking rules apply and let the response through.

How to do that in configuration.nix?

It works without this in both archlinux and fedora 31.

Seems like the way to go is to address the scanner directly by ip, provided that this ip remains stable thanks to your local DHCP. See how to do that in the man pages here. That would avoid the discovery issues.

From the source we can see that indeed a broadcast is sent for discovery, and a reply expected on the same port. I have no idea how to allow that on a firewall.

I guess you will have to go with networking.firewall.extraCommands and something like the following (but I am no iptables guru, so this may not be a correct iptables rule per se, and the OUTPUT rule may not be needed.)

  networking.firewall.extraCommands = ''
    iptables -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT
    iptables -A OUTPUT -d XXX.XXX.XXX.XXX -j ACCEPT
  '';

My scanner already receives the same IP from the local DHCP server (a wireless router). But it is not possible to edit the epson2.conf configuration file because it is installed read only in the nix store, and the sane module does not offer any means of changing it. This is a weak point of the sane module that maybe should be addressed.


CC @peti

Something like this could have worked, but apparently the way the config is generated does not support config clashes, and therefore does not support overriding the config.

I guess it is just a matter of turning ln -s into ln -sfn in pkgs/applications/graphics/sane/config.nix. Guess I should make a PR now :wink:

  hardware.sane.extraBackends = lib.singleton (pkgs.writeTextFile {
    name = "epson2.conf";
    text = ''
    '';
    destination = "/etc/sane.d/epson2.conf";
  });

See https://github.com/NixOS/nixpkgs/pull/78773 that makes the above trick work.
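
An added example, not written by any poster in this thread, that combines the two suggestions above while leaving the firewall enabled: the scanner is addressed directly in epson2.conf, and a single narrow rule covers discovery replies in place of a blanket accept for the scanner's IP. Assumptions: 192.0.2.10 is a placeholder for the scanner's DHCP-reserved address, the firewall is the iptables-based NixOS firewall, the scanner answers discovery from UDP source port 3289, and the epson2.conf override only takes effect with the pull request linked above.

```nix
{ lib, pkgs, ... }:
let
  # Placeholder address (documentation range); replace with the scanner's
  # reserved DHCP address.
  scannerIP = "192.0.2.10";
in
{
  hardware.sane.enable = true;

  # Address the scanner directly. The connection is then initiated by this
  # host, so connection tracking lets the replies through and no inbound
  # port has to be opened for scanning itself.
  hardware.sane.extraBackends = lib.singleton (pkgs.writeTextFile {
    name = "epson2.conf";
    text = ''
      net ${scannerIP}
    '';
    destination = "/etc/sane.d/epson2.conf";
  });

  # The firewall stays on (this is the default).
  networking.firewall.enable = true;

  # Only needed if broadcast autodiscovery is kept as well: accept UDP
  # replies from the scanner's address and discovery port only, instead of
  # accepting all traffic from that address.
  networking.firewall.extraCommands = ''
    iptables -A nixos-fw -p udp -s ${scannerIP} --sport 3289 -j nixos-fw-accept
  '';
  networking.firewall.extraStopCommands = ''
    iptables -D nixos-fw -p udp -s ${scannerIP} --sport 3289 -j nixos-fw-accept || true
  '';
}
```

After a rebuild, `scanimage -L` should list the `epson2:net:` device with the firewall still active.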